
Research on Behavior-Based Access Control Technology for IaaS Architecture Security

Published: 2018-05-07 02:17

  Topic of this thesis: cloud computing + cloud security. Reference: University of Science and Technology Beijing, 2017 doctoral dissertation


[Abstract]: Cloud computing is a new generation of Internet-based computing model. It not only provides access to massive computing and data resources, but is also an on-demand access model that can be configured according to user requirements. However, the openness and dynamic configurability of cloud computing have also made cloud security problems increasingly serious, and these have become a major challenge that threatens cloud computing environments and hinders their wide adoption. To address this, access control technology has been introduced into cloud computing, but existing access control systems still fall well short in areas specific to the cloud, such as tenant-driven dynamic on-demand resource allocation, behavior analysis for large user populations, and authorization management. Constructing an access control model that meets the security requirements of cloud computing platforms therefore still needs to be deepened and improved in both theoretical research and practical application.

In recent years, attribute-based access control (ABAC) has attracted considerable interest from researchers. This stems from its ability to use the attributes of the relevant entities (such as subject, object, environment and operation) as the basis for authorization: the data owner's access permissions are granted to the system by means of access policies, and those policies depend on the mutual trust relationships between attributes. ABAC is currently regarded as the cornerstone of the new generation of access control systems, and as one of the ideal technologies for solving cloud computing security problems. The goal of this thesis is to improve existing ABAC by introducing several concepts of user behavior, so that it meets the security requirement of configuring system resources on demand according to a measure of the trustworthiness of client behavior in a large user population.

In response to these practical needs, this thesis studies the problem of trusted authorization based on dynamic client behavior in cloud computing environments. Based on an analysis of existing access control models and a comparison with access control models for cloud computing, it proposes three new access control schemes suited to cloud computing environments. The proposed schemes have the following properties:

I. An attribute-rule-based access control (AR-ABAC) scheme is proposed. It introduces a new concept, the attribute rule (AR), which defines an agreement on which attributes should be used and how many attributes should be considered when making an access decision, and it gives a verification mechanism for these attribute rules. The scheme is flexible enough to assign and revoke privileges in a cloud access control model. This mechanism ensures secure resource sharing among potentially untrusted tenants and supports different access permissions for the same user within the same session. Experimental results show that AR-ABAC is suitable for IaaS cloud architectures and that, depending on the attributes considered and the number of concurrent requests, the average time of token generation in policy engine communication in AR-ABAC is small and acceptable.

II. A multi-factor trust-based access control (TB-AC) scheme is proposed. To authorize such dynamic user behavior, the scheme introduces a new definition of "trust relationship" based on three different factors (attributes, observations and recommendations) and the semantic relationships between them. On this basis, it proposes a new incentive mechanism that rewards or punishes users by placing malicious users on a shared blacklist for a specified period of time. This mechanism handles dynamic user behavior effectively because its authorization decisions are based on the user's trust level. Experimental results show that the proposed TB-AC scheme can effectively evaluate access requests from users with different behavior in different scenarios within a reasonable and acceptable running time, and that the scheme is usable and scalable.

III. A cryptographic adaptive multi-authority cloud access control (AC-MAC) scheme is proposed. The scheme introduces the concept of a multi-authority-based "trust attribute", which allows access policies over different numbers of user attributes to be integrated into ciphertext-policy attribute-based encryption (CP-ABE). On this basis a practical cryptographic construction is given: it allows a user to request access from multiple authorities many times with different attribute sets, but only with the authorities' approval can the user decrypt and access resources, so that the mechanism resists malicious attackers more securely and effectively at the trust level. The thesis provides a security proof for this construction and also carries out sufficient experiments, which show that the average encryption and decryption time is acceptable for both owners and users.

The schemes were integrated and tested in a private cloud environment (an IaaS platform built on OpenStack). The performance and security of each scheme were analyzed and compared with existing access control models under the same conditions. The experimental results show that the proposed models have good scalability and security, demonstrating the advantages of the three proposed access control models.

[Degree-granting institution]: University of Science and Technology Beijing
[Degree level]: Doctorate
[Year degree awarded]: 2017
[Classification number]: TP309

Article ID: 1854956


Link to this article: http://sikaile.net/shoufeilunwen/xxkjbs/1854956.html

